What's Your Viewpoint On This

For research purposes only for now, but as can clearly be noticed, the drivers for KIS6, Cyberhawk, Spyware Terminator, Ghost Security Suite and System Safety Monitor all have a chosen position in the SDT Table here. I might add no issues, conflicts or slowdowns are even present with this combo. Which security protection is most likely to keep from being displaced in the event of some forced attempt to overtake any of these lines?

Another question is which product is most likely to take charge "FIRST" and why in the event of some intrusion to overtake these guarded instructional sections?

http://img.photobucket.com/albums/v391/carbondioxide/sdt.jpg


Every XP PC has this integral element that tells a lot about how naked and exposed your system is, or else covered with a security sentry stationed to keep you alert as to what might have some malicious design or intent on your internal workings without your knowledge, in effect stealing control of signals intended only for your usage or the machine's normal operational duties.

The more you can visually see what belongs to your system compared to what doesn't have permission to intrude on you, the more interested and encouraged you will be to fill that gap responsibly and protect yourself from forced computer invasion.

It's really hard to believe that you're running all these tools at the same time. And why on earth do you need both GSS and SSM, isn't one of them enough? And if you have KIS do you really need CyberHawk? This is one of the most "bloated" setups I have ever seen. Are you sure your PC is running perfectly stable without any slowdowns?

> It's really hard to believe that you're running all these tools at the same time. And why on earth do you need both GSS and SSM, isn't one of them enough? And if you have KIS do you really need CyberHawk? This is one of the most "bloated" setups I have ever seen. Are you sure your PC is running perfectly stable without any slowdowns?

Give credit to those program developers. I would never heap that many hookers onto the SDT Table if they showed the least issue or made for a slowdown, which oddly to my surprise they don't. Plus they work fine in unison with one another. Don't ask me why, I'm no code specialist in those Microsoft internals, but I do know they perform side by side without ill effects, and on a rather anemic setup of DURON (single core) 1250 with a mere 512MB of RAM. Top that with the customizations I use for all my folders (eye candy) with their special effects on opening and you might think it would be too slow for any good use, but that's not the case at all, and I couldn't be happier.

No matter how you stack it up or whatever other conclusions you arrive at, the SDT table is but one popular area hooked because it works for security and at preventing being overtaken or 0wned! by malicious intent.

Well from my experience I can tell that running too many realtime tools is normally not really the way to go because sooner or later they will start to conflict. And why let various tools monitor the same stuff? I really think that if you have KIS and SSM Pro, you don't need GSS, CyberHawk, Launch Monitor and Spyware Terminator.

> Well from my experience I can tell that running too many realtime tools is normally not really the way to go because sooner or later they will start to conflict. And why let various tools monitor the same stuff? I really think that if you have KIS and SSM Pro, you don't need GSS, CyberHawk, Launch Monitor and Spyware Terminator.

I'm sorry but I disagree, and allow me to use an example. There is no overlap if you review with IceSword/RKUnhooker or another SDT Table lister. Each program uses its drivers to position at particular lines of instruction and not compete for the same ones. If they were to do that, surely conflicts with blue screens would quickly happen, even cancelling each other out.

I'm no code expert in the System Descriptor Table but I welcome a specialist who is to refute or confirm my idea on this. If anything might be considered overkill I would reason it might involve resource usage alone but never fighting over which kernel module gets an assigned address first. I think that's decided at install. If I stand corrected in any way please point out for me the accuracy I'm missing, because I am not perfect, especially when delving this deep into kernel module positions from security programs. It's purely been my observation from where I see they are located and what triggers a first response is related to the instruction being signalled to from an outside force, perhaps Windows itself?

The author, who is much more knowledgeable than I am, speaks of an "SSDT hooking chain", stating that more than one driver can hook the same element.

It is my (unconfirmed) belief that anti-rootkit programs show only one element in the chain, either the first or last, I have no idea which. Perhaps someone with more knowledge can explain this.

If this is true, then I would really like to know if there are any programs out there that will show the entire chain. A search on Google didn't turn up anything helpful.

Also, if this is true, then your statement that there is no overlap in your security program hooks is not quite accurate, even though they all run well together. This is not a blast at you, merely a request for clarification.

> I'm sorry but I disagree, and allow me to use an example. There is no overlap if you review with IceSword/RKUnhooker or another SDT Table lister. Each program uses its drivers to position at particular lines of instruction and not compete for the same ones. If they were to do that, surely conflicts with blue screens would quickly happen, even cancelling each other out.

You are wrong. And frankly I'm surprised that you didn't know this.

As Gene Benson notes, those tools you use show only one entry (the last I think).

A simple separate install (there are other ways) will easily prove that almost all the HIPS hook at least half a dozen places in common! Heck, even AV and firewalls do these days. And no, that doesn't mean it will automatically blue screen.

I didn't know your claim of no overlap rests on the whole "show the SSDT table and notice that there is only one entry on each line." I thought your claim of no overlap was no functionality/features overlap like what Rasheed is claiming. Or maybe you installed each one separately and checked... which, come to think of it, isn't reasonable.

Didn't it strike you how strange it was that despite the fact that the HIPS share so many functions and yet they all happen to hook different places? Or that you have never seen more than one entry per line?

A simple separate install (there are other ways) will easily prove that almost all the HIPS hook at least half a dozen places in common! Heck, even your AV and firewalls do.

Wouldn't be the first time or the last either for that matter, but don't you also find it odd there is but little real discussion lately when it comes to the hooking of the SDT Table, with so many HIPS coming to the forefront and, as you say, hooking the same areas, as opposed to my simple observations of the table lists/instructions courtesy of programs designed to show those features of your system?

No matter, speculation or fact, the technology going into these HIPS is proving more stable in a crowd than before, and for some like me that spells better coverage & code signal interception in those vital areas.

Let me ask you one thing, in addition to running all these tools at the same time, are you also letting them watch for the same stuff? I mean, you can of course also disable certain things in the HIPS but since most of them have the same abilities, it still doesn't really make any sense to run them all.

Btw, I got a PM from DA, in which he told me that I myself also had quite a heavy setup a while ago (AntiVir Classic, ZA Pro, SSM Free/Pro, Neoava), but I don't see what's so heavy about it, they all do different things (scanner/firewall + 2 HIPS), isn't a layered approach recommended?

Normally I would agree that you shouldn't use 2 HIPS, but there weren't any big problems and as you know I like to have as much protection as possible. However it's not really comparable to your situation IMO.

I understand your point of view, I also try to cover as much as possible and some HIPS have unique features. However, I think that 2 HIPS is enough (to complement each other). I also wonder if anyone has actually done tests to determine if in case one HIPS misses something, the other one(s) can spot it? That would be nice, but I wouldn't like to respond to 2 or 3 alerts about the same stuff. And I certainly wouldn't dare to run 5 or 6 HIPS like Easter does.

Of course I'm also right in line with those same reasonings. The layered approach plus minimizing errors echoes exactly why I prefer to apply a HEAVY layered approach of defense programs, given of course the usual: no issues/conflicts, and they ALL work independently of each other (no overlap) which would otherwise cause sudden malfunctions/a shutdown/errors etc. while occupying the same system.

I run on a regular basis, by the way, Cyberhawk/EQSecure 3.3 (beta)/System Safety Monitor = 3 HIPS. I know there are more listed in my siggy but those others are my personal preferences in testing malwares I found adequate enough to those tasks.

I have run a series of them (maybe for a few hours) at a time (while testing mals) which then does make it up to 6 HIPS when you take into account also running KIS6.

When I go hunting for malware drivebys I definitely fire up Power-Shadow because some of them are extremely aggressive at patching system files, reg settings, crippling XP security policies and such.

So in effect my extra heavy shielding serves up plenty of confidence in what I have to do and saves eons of time that might otherwise be wasted restoring/repairing due to some errant malware-bound virus or whatever else comes wielding in with those droppers.

> I understand your point of view, I also try to cover as much as possible and some HIPS have unique features. However, I think that 2 HIPS is enough (to complement each other). I also wonder if anyone has actually done tests to determine if in case one HIPS misses something, the other one(s) can spot it?

Logically speaking if there are no conflicts, combining 2 HIPS = getting the feature sets of both, so assuming that, there is no need for testing. Just ask yourself, is there some vector that one HIPS blocks but the other doesn't? How important is getting the extra prompt for some other feature? Do I really need a prompt on everything that happens?

However in the real world, conflicts do exist, though people here seem to think if the system doesn't crash it means everything is fine and dandy. Sadly most of such conflicts are a lot more subtle.

More interesting is to see if using 2 HIPS can cause both to miss something (conflicts, issues), when initially they could spot it on its own!

> That would be nice, but I wouldn't like to respond to 2 or 3 alerts about the same stuff. And I certainly wouldn't dare to run 5 or 6 HIPS like Easter does.

I'm not sure if Easter answered your question directly.

The question here is what does overlap mean?

Easter keeps talking about no overlap, but his definition of that seems to mean his system doesn't crash. (It's hard to know if there are no issues/conflicts.)

For you (RASHEED) it means only one prompt per trigger, which you achieve by turning off parts of some HIPS.

IMHO the difference between the two of you is one of you gets more prompts than the other, but the issues if they exist are still there. AFAIK, if you "turn off" some HIPS feature, it merely means the HIPS will give a free pass (= allow all), but the hooks are still there.
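A toy model of the "SSDT hooking chain" that Gene Benson and DA describe earlier in the thread, and of DA's point just above that "turning off" a HIPS feature leaves the hook in place. This is an added illustration written for this page, not code from the thread or from any of the products named in it. It uses a plain C table of function pointers with constructed service names (svc_open and friends) and constructed product names (HIPS_A, HIPS_B, AV_C); no real Windows kernel structures are involved. Three "drivers" hook the same slot in turn. A plain table dump (lister_view) sees only the last installer, because the slot holds exactly one pointer; the full chain (walk_chain) can be recovered only by reading each hook's privately saved previous pointer, which is exactly what a table lister does not have. Disabling one product's feature makes its hook pass every call straight through, but the chain is just as long as before.

```c
/* Toy model of an SSDT-style dispatch table with chained hooks.
 * Constructed illustration only: plain C function pointers, no real
 * Windows kernel structures, invented service and product names. */
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 4
#define MAX_HOOKS  3

typedef int (*service_fn)(int arg);

/* The dispatch table: one function pointer per service index. */
static service_fn table[TABLE_SIZE];

/* Constructed "original" services that live behind the table. */
static int svc_open(int arg)  { return arg + 1; }
static int svc_write(int arg) { return arg * 2; }
static int svc_close(int arg) { return arg - 1; }
static int svc_query(int arg) { return arg; }

/* One record per installed hook. `previous` is private to the hook's
 * owner; nothing in the table itself points at it. */
typedef struct {
    const char *owner;
    int         slot;
    service_fn  self;
    service_fn  previous;
    int         enabled;   /* 0 = feature "turned off": free pass, hook stays */
    int         calls;     /* how many calls this hook actually inspected */
} hook_t;

static hook_t hooks[MAX_HOOKS];
static int    hook_count;

/* Each hook inspects the call (here: just counts it) when enabled, then
 * hands it down the chain like a well-behaved filter driver would. */
#define DEFINE_HOOK(name, id)                         \
    static int name(int arg) {                        \
        if (hooks[id].enabled) hooks[id].calls++;     \
        return hooks[id].previous(arg);               \
    }
DEFINE_HOOK(hook_0, 0)
DEFINE_HOOK(hook_1, 1)
DEFINE_HOOK(hook_2, 2)
static const service_fn hook_fns[MAX_HOOKS] = { hook_0, hook_1, hook_2 };

static void reset_table(void) {
    table[0] = svc_open; table[1] = svc_write;
    table[2] = svc_close; table[3] = svc_query;
    memset(hooks, 0, sizeof hooks);
    hook_count = 0;
}

/* Install a hook: remember what the slot held, then overwrite it. */
static int install_hook(const char *owner, int slot) {
    if (hook_count >= MAX_HOOKS || slot < 0 || slot >= TABLE_SIZE) return -1;
    hook_t *h = &hooks[hook_count];
    h->owner = owner; h->slot = slot; h->self = hook_fns[hook_count];
    h->previous = table[slot]; h->enabled = 1; h->calls = 0;
    table[slot] = h->self;
    return hook_count++;
}

static void set_hook_enabled(int id, int on) {
    if (id >= 0 && id < hook_count) hooks[id].enabled = on;
}

/* What a plain table lister sees: the one pointer in the slot, i.e. only the
 * most recently installed hook ("kernel" if the slot is untouched). */
static const char *lister_view(int slot) {
    for (int i = 0; i < hook_count; i++)
        if (hooks[i].self == table[slot]) return hooks[i].owner;
    return "kernel";
}

/* Walk the whole chain. This only works because we can read each hook's
 * private `previous` pointer, which a table dump cannot. Fills `out`
 * top-of-chain first and returns the number of entries written. */
static int walk_chain(int slot, const char **out, int max) {
    int n = 0;
    service_fn cur = table[slot];
    while (n < max) {
        int found = -1;
        for (int i = 0; i < hook_count; i++)
            if (hooks[i].self == cur) { found = i; break; }
        if (found < 0) { out[n++] = "kernel"; break; }
        out[n++] = hooks[found].owner;
        cur = hooks[found].previous;
    }
    return n;
}

/* Constructed scenario: three products hook the same slot, then one of them
 * has its feature switched off. Returns the service result the caller sees. */
static int demo(void) {
    const char *chain[MAX_HOOKS + 1];
    reset_table();
    install_hook("HIPS_A", 0);
    int b = install_hook("HIPS_B", 0);
    install_hook("AV_C", 0);
    int r = table[0](41);                    /* AV_C -> HIPS_B -> HIPS_A -> svc_open */
    printf("lister shows: %s\n", lister_view(0));
    int n = walk_chain(0, chain, MAX_HOOKS + 1);
    for (int i = 0; i < n; i++) printf("%s%s", chain[i], i + 1 < n ? " -> " : "\n");
    set_hook_enabled(b, 0);                  /* "turn off" HIPS_B's feature */
    table[0](41);                            /* same path; HIPS_B now just passes through */
    printf("chain length after disabling HIPS_B: %d\n", walk_chain(0, chain, MAX_HOOKS + 1));
    return r;
}

int main(void) { printf("result=%d\n", demo()); return 0; }
```

The design point worth taking from the model is the asymmetry between the two views: lister_view needs only the table, which is why a single-entry listing is cheap to produce and easy to misread as "no overlap", while walk_chain needs state that belongs to each hook's owner and is not exposed anywhere a generic tool can find it.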

Not at all really. I have no reason or purpose to withhold posting of that from any discussion thread, and not just this topic alone, should an issue or conflict make for some concern. It's in the mutual benefit of everyone to bring that to this forum's attention and let discussion take it from there, and that's what I will continue to do, unabated or influenced.

Anyone can just as easily test them as I do if you (1) rather use an alternate machine, (2) can FD-ISR to a former snapshot in case of problems, (3) if you trust Power Shadow you could rest easy in case some HIPS rips your system apart.

I choose none of the above and I'm not afraid to do so either, because I have yet to run into a HIPS that is that god-awfully constructed that it would crush the system and cause reinstall/repair. That's single HIP (1); I started piling them on when I realized the developers have now sharpened those programs immensely to coexist safely with LISTS of other security programs. Those vendors do cooperate with respecting the users and each other that way, you know. It's logical ethics in this technological realm of businesses and people see the results for themselves, like myself for one.

I did have some problems with SensiveGuard lately (affecting boot-up) and have already posted my results and will not test it again until updated.

On several examples of my own experimenting with HIPS setups (and testing with malware), anyone here who has read enough of my posts can clearly see I have no reservations or fear of heaping HIPS together, from GhostSecuritySuite/SSM/CyberHawk/PG/ to KIS6/EQSecure/Spyware Terminator and so on and so forth.

In fact the only crash I have encountered so far was with a rather heavy & sophisticated weather radar program that I knew probably would be tipping the balance anyway, and it did, but it only crashed Explorer, not the entire machine.

In retrospect, no combination of HIPS I have crowded together so far even crashed Explorer, let alone made any other conflicts or issues that I assume you reference as slowdowns in opening programs and Explorer folders & such.

> Not at all really. I have no reason or purpose to withhold posting of that from any discussion thread, and not just this topic alone, should an issue or conflict make for some concern.

People are very good at deceiving themselves. Leaving that aside, your remarks above don't give me much confidence you are competent enough to detect *subtle* or even not so subtle conflicts. Your methodology seems to be, if it doesn't crash it is fine. Plus of course the whole misunderstanding about SSDT to support the conclusion you already held in advance.

I myself have experience playing with tweaks, running software that appears fine for 6 months and more, but later I find some rarely used function not working, and after much work I trace it to the tweak, or to the software I installed (verified by uninstalling the software, after which the problem disappears).

> Anyone can just as easily test them as I do if you (1) rather use an alternate machine, (2) can FD-ISR to a former snapshot in case of problems, (3) if you trust Power Shadow you could rest easy in case some HIPS rips your system apart.

Again you assume that if your system doesn't crash after playing with it for 1 or 2 hours, it means everything is fine. Using a VM, other machines etc. is great, and we all do that, but testing for stability is not just a matter of install it, see if it doesn't crash, play with it for a while, that's it.

> I choose none of the above and I'm not afraid to do so either, because I have yet to run into a HIPS that is that god-awfully constructed that it would crush the system and cause reinstall/repair. That's single HIP (1); I started piling them on when I realized the developers have now sharpened those programs immensely to coexist safely with LISTS of other security programs.

A very bold assertion with no basis in fact. Do you really believe the guys at SSM, Neoavaguard, Prosecurity really test to ensure that their products co-exist safely with their competitors?

Do you really think, they keep up with each and every rapid update by their competitors and make sure theirs always work properly without conflicts?

Heck, most of them will tell you to just use one (preferably theirs). I can't really imagine them spending even 0.00001% of their time considering the case of a super paranoid user who uses half a dozen HIPS together.

If they do consider compatibility it is more with other mainstream products like firewalls and antiviruses, and even then I don't think this is done a lot. It's a simple matter of cost-benefit. How many people are paranoid enough to run Neoavaguard, SSM, Prosecurity together? Even here, where we have the most HIPS-crazy crowd in the world, everyone pretty much agrees it is overkill...

> On several examples of my own experimenting with HIPS setups (and testing with malware), anyone here who has read enough of my posts can clearly see I have no reservations or fear of heaping HIPS together, from GhostSecuritySuite/SSM/CyberHawk/PG/ to KIS6/EQSecure/Spyware Terminator and so on and so forth.

Sadly, when people ask is X compatible with Y on forums, we rely on people like you to give their *impressions* of whether something is compatible.

Typically when people like you say there are no conflicts, all one can conclude is, if one installs it, most likely the system won't immediately crash.

> In retrospect, no combination of HIPS I have crowded together so far even crashed Explorer, let alone made any other conflicts or issues that I assume you reference as slowdowns in opening programs and Explorer folders & such.

Actually I agree outright crashes (after install) are not that common, all things considered, and those are quickly reported (any idiot can spot those). The more difficult cases are when things seem to work okay for a while, until some event causes it to crash.

In any case, I suspect you are either trolling (particularly given your system specs), or you are naive beyond words.......

> In any case, I suspect you are either trolling (particularly given your system specs), or you are naive beyond words.......

Devil's Advocate? You are only continuing to instigate and deliberately try to grind out disagreement, and offer nothing more than stalking my posts for the sake of complaining about how I conduct my own systems and the software used with them, methods, and techniques.

Your PMs as of this post are also no longer accepted, because I have answered them fairly and as best I could, only to find you follow up with even more complaints on a daily basis in some ongoing fun game you are playing, and I don't have time for that.

Furthermore, if you have an ax to grind with me (Unfairly Indeed!) or some other personal problem with how I enter topics and answer discussions here at Wilder's or my posting habits, just because you disagree with my own methods or observations offered, then I suggest you take that issue up with Paul Wilder's, Bubba or another Moderator/Admin, but your comments are way out of order, especially in reference to the accusation of trolling.